Thursday, June 21, 2012

Starting from 11.2 its possible to use SSL client certificates to authenticate yourself to a remote web service using SSL client certificates. I did not find much information on it using Google or documentation, that is why I'm writing this post.

Please refer to this post by Tim Hall to get started on connecting to HTTPS service using UTL_HTTP, all of this is needed before continuing with SSL client certificate authentication.

The first thing you need is to generate user certificate request inside Oracle Wallet, sign it by CA and load the returned certificate back to Wallet. I'm not going to very detailed steps here, but basically (using Oracle Wallet Manager OWM):

Open the wallet you created using Tim Hall's post mentioned previously.

Go to Operations > Add Certificate Request

Fill in all the needed fields

After certificate request has been created, go to Operations > Export Certificate Request

Send the request to a Certification Authority (that the remote service trusts) for signing and wait for a reply (in a form of signed certificate)

If you are using 11g OWM/ORAPKI and when importing the user certificate to wallet OWM displays an error or ORAPKI corrupts your wallet, you can just use OWM/ORAPKI programs from 10gR2 database client. This is due to bug Bug 9395937: UNABLE TO IMPORT USER CERTIFICATE IN OWM 11.1, WORKS IN 10.2.

Now the step that is not mentioned in UTL_HTTP documentation and got me stuck for weeks until I opened SR to Oracle Support. The network ACL needs also privileges on the Wallet file using DBMS_NETWORK_ACL_ADMIN.ASSIGN_WALLET_ACL.

After the privileges have been assigned, you can use UTL_HTTP to query remote web service like you do with normal HTTPS connection. If the remote web service requests client to be authenticated using certificates, UTL_HTTP automatically handles it in the background and uses the user certificate located in the wallet. For example:

5 comments:

An organization needs to install the SSL Certificate onto their web server to initiate SSL sessions with browsers. Depending on the type of SSL Certificate applied for, the organization will need to go through differing levels of vetting.

I really appreciate you posting this piece on your blog Ilmar. I've spent the last week pulling my hair out trying to determine why my web service https request wouldn't utilise the client certificate in my Oracle wallet. Never dreamed of looking for use-client-certificates privilege and DBMS_NETWORK_ACL_ADMIN.ASSIGN_WALLET_ACL. Thank you for sharing.